Guest
Controller/Processor and DPO
Our company provides a School Information/Management System to schools worldwide. The schools determine what data they want to collect about the families/students and how they will use it with regard to the operation of the school. We develop, maintain and operate the database where all of this information is stored and accessed by numerous entities in the school, including parents. Employees from our company also access the school site to help in training, importing data into our system, and of course customer support.
Expert
Andrei Hanganu
Feb 15, 2018
Normally most schools collect names, addresses, birthdays, sex, race, religion, phone numbers, etc. This is not dictated by us, but is relevant to any reporting the school needs to do.
1. Controller/Processor: We are fairly confident that we will need to assume the role of controller and processor.
2. DPO - Again, we believe we will need a DPO or need to assign someone in the company the responsibility of overseeing our GDPR compliance. We have based this decision on the fact that student information saved in our database can be processed by the schools in the form of reports for internal and external purposes.
Based on the information I have included would you agree?
Answer:
For your first question, you cannot be processor and controller for the same processing activity. From the description it seems to me that for the processing activity you mentioned you are a processor and the schools are the controllers, because they are the ones deciding the means and purposes for the processing while you are just providing the system which they use.
As for your second question, especially because most of the personal data belongs to minors and because you are also processing sensitive personal data such as religion I would advise you to appoint a DPO.
You can find out more about the tasks of the DPO in our article “The role of the DPO in light of the General Data Protection Regulation” https://advisera.com/eugdpracademy/knowledgebase/the-role-of-the-dpo-in-light-of-the-general-data-protection-regulation/
I also invite you to go through our online training GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course//